AU: Support signatures in new-style update images.

I'm sending this CL out as a first step to supporting signatures in
the images.

BUG=5673
TEST=None

Review URL: http://codereview.chromium.org/3175010
diff --git a/update_metadata.proto b/update_metadata.proto
index 2fa8392..d849a8a 100644
--- a/update_metadata.proto
+++ b/update_metadata.proto
@@ -18,6 +18,10 @@
 //     char data[];
 //   } blobs[];
 //
+//   // These two are not signed:
+//   uint64 signatures_message_size;
+//   char signatures_message[];
+//
 // };
 
 // The DeltaArchiveManifest protobuf is an ordered list of InstallOperation
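Review bot: The two trailer fields added to the layout comment are marked "not signed", so `signatures_message_size` is read before anything has been verified and has to be treated as untrusted input. The layout comment should say that the reader must bound it by the bytes remaining in the file before allocating or reading. For example, add `//   // Untrusted: must not exceed the bytes left in the file.` above the size field. It would also help to say here that the hash covers every byte before `signatures_message_size`, if that is the intent, so that the signed range is defined next to the layout it refers to.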
@@ -56,11 +60,31 @@
 // A sentinel value (kuint64max) as the start block denotes a sparse-hole
 // in a file whose block-length is specified by num_blocks.
 
+// Signatures: Updates may be signed by the OS vendor. The client verifies
+// an update's signature by hashing the entire download. The section of the
+// download the contains the signature is at the end of the file, so when
+// signing a file, only the part up to the signature part is signed.
+// Then, the client looks inside the download's Signatures message for a
+// Signature message that it knows how to handle. Generally, a client will
+// only know how to handle one type of signature, but an update may contain
+// many signatures to support many different types of client. Then client
+// selects a Signature message and uses that, along with a known public key,
+// to verify the download. The public key is expected to be part of the
+// client.
+
 message Extent {
   optional uint64 start_block = 1;
   optional uint64 num_blocks = 2;
 }
 
+message Signatures {
+  message Signature {
+    optional uint32 version = 1;
+    optional string data = 2;
+  }
+  repeated Signature signatures = 1;
+}
+
 message DeltaArchiveManifest {
   message InstallOperation {
     enum Type {
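Review bot: `optional string data = 2;` in `Signature` carries raw signature bytes, but a protobuf `string` is expected to be valid UTF-8 and some language runtimes reject or alter values that are not. Declaring it as `optional bytes data = 2;` keeps the same wire encoding and avoids that. `version` has no comment saying which signature scheme or key each value denotes, which a client needs in order to pick the entry it can verify. The block comment above the messages says the client hashes "the entire download" and then that only the part before the signature section is signed; stating the hashed range once would remove the contradiction. That comment also reads "the contains" where "that contains" is meant.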
@@ -94,4 +118,11 @@
 
   // (At time of writing) usually 4096
   optional uint32 block_size = 3 [default = 4096];
+
+  // If signatures are present, the offset into the blobs, generally
+  // tacked onto the end of the file. We use an offset rather than
+  // a bool to allow for more flexibility in future file formats.
+  // If this is absent, it means signatures aren't supported in this
+  // file.
+  optional uint64 signatures_offset = 4;
 }
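Review bot: The comment on `signatures_offset` says an absent field means signatures aren't supported in the file, but it does not say what a verifying client must do then. Nothing covers the payload in that case, so a client that ships with a public key should treat absence as a verification failure rather than as a reason to skip the check. I would add `// Clients that require signed updates must reject a payload without this field.` The comment also does not say how this offset relates to the trailing `signatures_message_size` / `signatures_message` fields in the file-layout comment, nor which one wins if they disagree; one sentence fixing that would prevent divergent parsers. `DeltaArchiveManifest` begins outside this hunk.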